At Thu, 27 Mar 2008 10:39:31 -0700,
Paul Hoffman wrote:
>
> At 11:54 AM -0500 3/27/08, Dean Willis wrote:
> >OpenSSL can generate SAN. None of my certs have it.
>
> Off-list, Dean told me that his certs are CA certs, which indeed
> should not have the domain name in the subjectAltName.
>
> But the bigger question is: how important is being able to handle
> legacy certificates for this protocol?

Uh, absolutely critical? If people have to jump through major hoops
to get certs for SIP, they won't.

> In specific, section 7.1 of
> the document says:
>
>    I-D.sip-eku [9] describes the method to validate any Extended Key
>    Usage values found in the certificate for a SIP domain.
>    Implementations MUST perform the checks prescribed by that
>    specification.

1. This isn't a requirement that the certificates HAVE this EKU,
   just that you validate it.
2. It's not clear to me there is consensus for this now levy.

-Ekr
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
